Merge pull request #86 from uc-cdis/feat/team_project_feature

Feat: team project feature

Author: pieterlukasse

README.md

@@ -118,7 +118,7 @@ cd tests/setup_local_db/
 JSON summary data endpoints:
 ```bash
 curl http://localhost:8080/sources | python -m json.tool
-curl http://localhost:8080/cohortdefinition-stats/by-source-id/1 | python -m json.tool
+curl "http://localhost:8080/cohortdefinition-stats/by-source-id/1/by-team-project?team-project=test" | python -m json.tool
 curl http://localhost:8080/concept/by-source-id/1 | python -m json.tool
 curl -d '{"ConceptIds":[2000000324,2000006885]}' -H "Content-Type: application/json" -X POST http://localhost:8080/concept/by-source-id/1 | python -m json.tool
 curl -d '{"ConceptTypes":["Measurement","Person"]}' -H "Content-Type: application/json" -X POST http://localhost:8080/concept/by-source-id/1/by-type | python -m json.tool

config/mocktest.yaml

@@ -0,0 +1 @@
+arborist_endpoint: 'https://arboristdummyurl'

controllers/cohortdata.go

@@ -9,16 +9,21 @@ import (
 	"strconv"
 
 	"github.com/gin-gonic/gin"
+	"github.com/uc-cdis/cohort-middleware/middlewares"
 	"github.com/uc-cdis/cohort-middleware/models"
 	"github.com/uc-cdis/cohort-middleware/utils"
 )
 
 type CohortDataController struct {
-	cohortDataModel models.CohortDataI
+	cohortDataModel  models.CohortDataI
+	teamProjectAuthz middlewares.TeamProjectAuthzI
 }
 
-func NewCohortDataController(cohortDataModel models.CohortDataI) CohortDataController {
-	return CohortDataController{cohortDataModel: cohortDataModel}
+func NewCohortDataController(cohortDataModel models.CohortDataI, teamProjectAuthz middlewares.TeamProjectAuthzI) CohortDataController {
+	return CohortDataController{
+		cohortDataModel:  cohortDataModel,
+		teamProjectAuthz: teamProjectAuthz,
+	}
 }
 
 func (u CohortDataController) RetrieveHistogramForCohortIdAndConceptId(c *gin.Context) {
@@ -44,6 +49,14 @@ func (u CohortDataController) RetrieveHistogramForCohortIdAndConceptId(c *gin.Co
 	cohortId, _ := strconv.Atoi(cohortIdStr)
 	histogramConceptId, _ := strconv.ParseInt(histogramIdStr, 10, 64)
 
+	validAccessRequest := u.teamProjectAuthz.TeamProjectValidation(c, []int{cohortId}, cohortPairs)
+	if !validAccessRequest {
+		log.Printf("Error: invalid request")
+		c.JSON(http.StatusBadRequest, gin.H{"message": "access denied"})
+		c.Abort()
+		return
+	}
+
 	cohortData, err := u.cohortDataModel.RetrieveHistogramDataBySourceIdAndCohortIdAndConceptIdsAndCohortPairs(sourceId, cohortId, histogramConceptId, filterConceptIds, cohortPairs)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"message": "Error retrieving concept details", "error": err.Error()})
@@ -85,6 +98,14 @@ func (u CohortDataController) RetrieveDataBySourceIdAndCohortIdAndVariables(c *g
 	sourceId, _ := strconv.Atoi(sourceIdStr)
 	cohortId, _ := strconv.Atoi(cohortIdStr)
 
+	validAccessRequest := u.teamProjectAuthz.TeamProjectValidation(c, []int{cohortId}, cohortPairs)
+	if !validAccessRequest {
+		log.Printf("Error: invalid request")
+		c.JSON(http.StatusBadRequest, gin.H{"message": "access denied"})
+		c.Abort()
+		return
+	}
+
 	// call model method:
 	cohortData, err := u.cohortDataModel.RetrieveDataBySourceIdAndCohortIdAndConceptIdsOrderedByPersonId(sourceId, cohortId, conceptIds)
 	if err != nil {
@@ -111,7 +132,7 @@ func generateCohortPairsHeaders(cohortPairs []utils.CustomDichotomousVariableDef
 	cohortPairsHeaders := []string{}
 
 	for _, cohortPair := range cohortPairs {
-		cohortPairsHeaders = append(cohortPairsHeaders, utils.GetCohortPairKey(cohortPair.CohortId1, cohortPair.CohortId2))
+		cohortPairsHeaders = append(cohortPairsHeaders, utils.GetCohortPairKey(cohortPair.CohortDefinitionId1, cohortPair.CohortDefinitionId2))
 	}
 
 	return cohortPairsHeaders
@@ -230,6 +251,14 @@ func (u CohortDataController) RetrieveCohortOverlapStatsWithoutFilteringOnConcep
 	controlCohortId, errors[2] = utils.ParseNumericArg(c, "controlcohortid")
 	conceptIds, cohortPairs, errors[3] = utils.ParseConceptIdsAndDichotomousDefs(c)
 
+	validAccessRequest := u.teamProjectAuthz.TeamProjectValidation(c, []int{caseCohortId, controlCohortId}, cohortPairs)
+	if !validAccessRequest {
+		log.Printf("Error: invalid request")
+		c.JSON(http.StatusBadRequest, gin.H{"message": "access denied"})
+		c.Abort()
+		return
+	}
+
 	if utils.ContainsNonNil(errors) {
 		c.JSON(http.StatusBadRequest, gin.H{"message": "bad request"})
 		c.Abort()
@@ -298,8 +327,8 @@ func (u CohortDataController) RetrievePeopleIdAndCohort(sourceId int, cohortId i
 	*/
 	personIdToCSVValues := make(map[int64]map[string]string)
 	for _, cohortPair := range cohortPairs {
-		firstCohortDefinitionId := cohortPair.CohortId1
-		secondCohortDefinitionId := cohortPair.CohortId2
+		firstCohortDefinitionId := cohortPair.CohortDefinitionId1
+		secondCohortDefinitionId := cohortPair.CohortDefinitionId2
 		cohortPairKey := utils.GetCohortPairKey(firstCohortDefinitionId, secondCohortDefinitionId)
 
 		firstCohortPeopleData, err1 := u.cohortDataModel.RetrieveDataByOriginalCohortAndNewCohort(sourceId, cohortId, firstCohortDefinitionId)

controllers/cohortdefinition.go

@@ -18,6 +18,7 @@ func NewCohortDefinitionController(cohortDefinitionModel models.CohortDefinition
 }
 
 func (u CohortDefinitionController) RetriveById(c *gin.Context) {
+	// TODO - add teamproject validation - check if user has the necessary atlas and arborist permissions
 	cohortDefinitionId := c.Param("id")
 
 	if cohortDefinitionId != "" {
@@ -35,39 +36,18 @@ func (u CohortDefinitionController) RetriveById(c *gin.Context) {
 	c.Abort()
 }
 
-func (u CohortDefinitionController) RetriveByName(c *gin.Context) {
-	cohortDefinitionName := c.Param("name")
-
-	if cohortDefinitionName != "" {
-		cohortDefinition, err := u.cohortDefinitionModel.GetCohortDefinitionByName(cohortDefinitionName)
-		if err != nil {
-			c.JSON(http.StatusInternalServerError, gin.H{"message": "Error retrieving cohortDefinition", "error": err.Error()})
-			c.Abort()
-			return
-		}
-		c.JSON(http.StatusOK, gin.H{"CohortDefinition": cohortDefinition})
-		return
-	}
-	c.JSON(http.StatusBadRequest, gin.H{"message": "bad request"})
-	c.Abort()
-}
-
-func (u CohortDefinitionController) RetriveAll(c *gin.Context) {
-	cohortDefinitions, err := u.cohortDefinitionModel.GetAllCohortDefinitions()
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"message": "Error retrieving cohortDefinition", "error": err.Error()})
+func (u CohortDefinitionController) RetriveStatsBySourceIdAndTeamProject(c *gin.Context) {
+	// This method returns ALL cohortdefinition entries with cohort size statistics (for a given source)
+	sourceId, err1 := utils.ParseNumericArg(c, "sourceid")
+	teamProject := c.Query("team-project")
+	if teamProject == "" {
+		c.JSON(http.StatusInternalServerError, gin.H{"message": "Error while parsing request", "error": "team-project is a mandatory parameter but was found to be empty!"})
 		c.Abort()
 		return
 	}
-	c.JSON(http.StatusOK, gin.H{"cohort_definitions": cohortDefinitions})
-}
-
-func (u CohortDefinitionController) RetriveStatsBySourceId(c *gin.Context) {
-	// This method returns ALL cohortdefinition entries with cohort size statistics (for a given source)
-
-	sourceId, err1 := utils.ParseNumericArg(c, "sourceid")
+	// TODO - validate teamproject against arborist
 	if err1 == nil {
-		cohortDefinitionsAndStats, err := u.cohortDefinitionModel.GetAllCohortDefinitionsAndStatsOrderBySizeDesc(sourceId)
+		cohortDefinitionsAndStats, err := u.cohortDefinitionModel.GetAllCohortDefinitionsAndStatsOrderBySizeDesc(sourceId, teamProject)
 		if err != nil {
 			c.JSON(http.StatusInternalServerError, gin.H{"message": "Error retrieving cohortDefinition", "error": err.Error()})
 			c.Abort()

controllers/concept.go

@@ -10,17 +10,23 @@ import (
 	"strconv"
 
 	"github.com/gin-gonic/gin"
+	"github.com/uc-cdis/cohort-middleware/middlewares"
 	"github.com/uc-cdis/cohort-middleware/models"
 	"github.com/uc-cdis/cohort-middleware/utils"
 )
 
 type ConceptController struct {
 	conceptModel          models.ConceptI
 	cohortDefinitionModel models.CohortDefinitionI
+	teamProjectAuthz      middlewares.TeamProjectAuthzI
 }
 
-func NewConceptController(conceptModel models.ConceptI, cohortDefinitionModel models.CohortDefinitionI) ConceptController {
-	return ConceptController{conceptModel: conceptModel, cohortDefinitionModel: cohortDefinitionModel}
+func NewConceptController(conceptModel models.ConceptI, cohortDefinitionModel models.CohortDefinitionI, teamProjectAuthz middlewares.TeamProjectAuthzI) ConceptController {
+	return ConceptController{
+		conceptModel:          conceptModel,
+		cohortDefinitionModel: cohortDefinitionModel,
+		teamProjectAuthz:      teamProjectAuthz,
+	}
 }
 
 func (u ConceptController) RetriveAllBySourceId(c *gin.Context) {
@@ -93,6 +99,14 @@ func (u ConceptController) RetrieveBreakdownStatsBySourceIdAndCohortId(c *gin.Co
 		c.Abort()
 		return
 	}
+	validAccessRequest := u.teamProjectAuthz.TeamProjectValidationForCohort(c, cohortId)
+	if !validAccessRequest {
+		log.Printf("Error: invalid request")
+		c.JSON(http.StatusBadRequest, gin.H{"message": "access denied"})
+		c.Abort()
+		return
+	}
+
 	breakdownConceptId, err := utils.ParseBigNumericArg(c, "breakdownconceptid")
 	if err != nil {
 		log.Printf("Error: %s", err.Error())
@@ -118,6 +132,14 @@ func (u ConceptController) RetrieveBreakdownStatsBySourceIdAndCohortIdAndVariabl
 		c.Abort()
 		return
 	}
+	validAccessRequest := u.teamProjectAuthz.TeamProjectValidation(c, []int{cohortId}, cohortPairs)
+	if !validAccessRequest {
+		log.Printf("Error: invalid request")
+		c.JSON(http.StatusBadRequest, gin.H{"message": "access denied"})
+		c.Abort()
+		return
+	}
+
 	breakdownConceptId, err := utils.ParseBigNumericArg(c, "breakdownconceptid")
 	if err != nil {
 		log.Printf("Error: %s", err.Error())
@@ -175,6 +197,15 @@ func (u ConceptController) RetrieveAttritionTable(c *gin.Context) {
 		c.Abort()
 		return
 	}
+	_, cohortPairs := utils.GetConceptIdsAndCohortPairsAsSeparateLists(conceptIdsAndCohortPairs)
+	validAccessRequest := u.teamProjectAuthz.TeamProjectValidation(c, []int{cohortId}, cohortPairs)
+	if !validAccessRequest {
+		log.Printf("Error: invalid request")
+		c.JSON(http.StatusBadRequest, gin.H{"message": "access denied"})
+		c.Abort()
+		return
+	}
+
 	breakdownConceptId, err := utils.ParseBigNumericArg(c, "breakdownconceptid")
 	if err != nil {
 		log.Printf("Error: %s", err.Error())

middlewares/auth.go

@@ -22,10 +22,11 @@ func AuthMiddleware() gin.HandlerFunc {
 	}
 
 	return func(ctx *gin.Context) {
-		req, err := PrepareNewArboristRequest(ctx, c.GetString("arborist_endpoint"))
+		req, err := PrepareNewArboristRequest(ctx)
 		if err != nil {
 			ctx.AbortWithStatus(500)
 			log.Printf("Error while preparing Arborist request: %s", err.Error())
+			return
 		}
 		client := &http.Client{}
 		// send the request to Arborist:
@@ -44,21 +45,33 @@ func AuthMiddleware() gin.HandlerFunc {
 }
 
 // this function will take the request from the given ctx, validated it for the presence of an "Authorization / Bearer" token
-// and then return the URL that can be used to consult Arborist regarding access permissions. This function
+// and then return the URL that can be used to consult Arborist regarding cohort-middleware access permissions. This function
 // returns an error if "Authorization / Bearer" token is missing in ctx
-func PrepareNewArboristRequest(ctx *gin.Context, arboristEndpoint string) (*http.Request, error) {
+func PrepareNewArboristRequest(ctx *gin.Context) (*http.Request, error) {
+
+	resourcePath := fmt.Sprintf("/cohort-middleware%s", ctx.Request.URL.Path)
+	service := "cohort-middleware"
+
+	return PrepareNewArboristRequestForResourceAndService(ctx, resourcePath, service)
+}
+
+// this function will take the request from the given ctx, validated it for the presence of an "Authorization / Bearer" token
+// and then return the URL that can be used to consult Arborist regarding access permissions for the given
+// resource path and service.
+func PrepareNewArboristRequestForResourceAndService(ctx *gin.Context, resourcePath string, service string) (*http.Request, error) {
+	c := config.GetConfig()
+	arboristEndpoint := c.GetString("arborist_endpoint")
 	// validate:
 	authorization := ctx.Request.Header.Get("Authorization")
 	if authorization == "" {
 		return nil, errors.New("missing Authorization header")
 	}
 
 	// build up the request URL string:
-	resourcePath := fmt.Sprintf("/cohort-middleware%s", ctx.Request.URL.Path)
 	arboristAuth := fmt.Sprintf("%s/auth/proxy?resource=%s&service=%s&method=%s",
 		arboristEndpoint,
 		resourcePath,
-		"cohort-middleware",
+		service,
 		"access")
 
 	// make request object / validate URL:

middlewares/teamprojectauthz.go

@@ -0,0 +1,87 @@
+package middlewares
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/uc-cdis/cohort-middleware/models"
+	"github.com/uc-cdis/cohort-middleware/utils"
+)
+
+type TeamProjectAuthzI interface {
+	TeamProjectValidationForCohort(ctx *gin.Context, cohortDefinitionId int) bool
+	TeamProjectValidation(ctx *gin.Context, cohortDefinitionIds []int, filterCohortPairs []utils.CustomDichotomousVariableDef) bool
+	TeamProjectValidationForCohortIdsList(ctx *gin.Context, uniqueCohortDefinitionIdsList []int) bool
+}
+
+type HttpClientI interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+type TeamProjectAuthz struct {
+	cohortDefinitionModel models.CohortDefinitionI
+	httpClient            HttpClientI
+}
+
+func NewTeamProjectAuthz(cohortDefinitionModel models.CohortDefinitionI, httpClient HttpClientI) TeamProjectAuthz {
+	return TeamProjectAuthz{
+		cohortDefinitionModel: cohortDefinitionModel,
+		httpClient:            httpClient,
+	}
+}
+func (u TeamProjectAuthz) hasAccessToAtLeastOne(ctx *gin.Context, teamProjects []string) bool {
+
+	// query Arborist and return as soon as one of the teamProjects access check returns 200:
+	for _, teamProject := range teamProjects {
+		teamProjectAsResourcePath := teamProject
+		teamProjectAccessService := "atlas-argo-wrapper-and-cohort-middleware"
+
+		req, err := PrepareNewArboristRequestForResourceAndService(ctx, teamProjectAsResourcePath, teamProjectAccessService)
+		if err != nil {
+			ctx.AbortWithStatus(500)
+			panic("Error while preparing Arborist request")
+		}
+		// send the request to Arborist:
+		resp, _ := u.httpClient.Do(req)
+		log.Printf("Got response status %d from Arborist...", resp.StatusCode)
+
+		// arborist will return with 200 if the user has been granted access to the cohort-middleware URL in ctx:
+		if resp.StatusCode == 200 {
+			return true
+		} else {
+			// unauthorized or otherwise:
+			log.Printf("Status %d does NOT give access to team project...", resp.StatusCode)
+		}
+	}
+	return false
+}
+
+func (u TeamProjectAuthz) TeamProjectValidationForCohort(ctx *gin.Context, cohortDefinitionId int) bool {
+	filterCohortPairs := []utils.CustomDichotomousVariableDef{}
+	return u.TeamProjectValidation(ctx, []int{cohortDefinitionId}, filterCohortPairs)
+}
+
+func (u TeamProjectAuthz) TeamProjectValidation(ctx *gin.Context, cohortDefinitionIds []int, filterCohortPairs []utils.CustomDichotomousVariableDef) bool {
+
+	uniqueCohortDefinitionIdsList := utils.GetUniqueCohortDefinitionIdsListFromRequest(cohortDefinitionIds, filterCohortPairs)
+	return u.TeamProjectValidationForCohortIdsList(ctx, uniqueCohortDefinitionIdsList)
+}
+
+// "team project" related checks:
+// (1) check if all cohorts belong to the same "team project"
+// (2) check if the user has permission in the "team project"
+// Returns true if both checks above pass, false otherwise.
+func (u TeamProjectAuthz) TeamProjectValidationForCohortIdsList(ctx *gin.Context, uniqueCohortDefinitionIdsList []int) bool {
+	teamProjects, _ := u.cohortDefinitionModel.GetTeamProjectsThatMatchAllCohortDefinitionIds(uniqueCohortDefinitionIdsList)
+	if len(teamProjects) == 0 {
+		log.Printf("Invalid request error: could not find a 'team project' that is associated to ALL the cohorts present in this request")
+		return false
+	}
+	if !u.hasAccessToAtLeastOne(ctx, teamProjects) {
+		log.Printf("Invalid request error: user does not have access to any of the 'team projects' associated with the cohorts in this request")
+		return false
+	}
+	// passed both tests:
+	return true
+}